L2TPv3/IPsec communication between two YAMAHA RTX1210s using Flets-network loopback communication
1. Introduction
I'm no router expert, but I ran L2TP/IPsec on an RTX810 for about five years, and about half a year ago I switched to L2TPv3/IPsec between two RTX1210s using Flets-network loopback communication (IPv6 traffic that stays within NTT's Flets network); this is a write-up of the result.
MAP-E (IPv4 over IPv6) is handled by the HGW (PR-500KI), and the RTX1210 sits below the HGW in a double-router configuration.
Since I'm an internet amateur who pieced this together from various sites and tried it out, possibly incorrectly, there may be redundant settings and errors.
2. Network configuration
Site 1 (address: content)
192.168.1.1: PR-500KI
192.168.1.254: RTX1210 LAN2
192.168.2.1: RTX1210 LAN1
192.168.2.3: (I'm not sure whether this IP address is needed)
192.168.2.10-49: DHCP (the DHCP server is Site 1's RTX1210)
192.168.2.100-199: static IP address range (only this range is used; its configuration is not described)
Site 2 (address: content)
192.168.1.1: PR-500KI
192.168.1.254: RTX1210 LAN2
192.168.2.2: RTX1210 LAN1
192.168.2.4: (I'm not sure whether this IP address is needed)
192.168.2.50-89: DHCP (the DHCP server is Site 2's RTX1210)
192.168.2.200-249: static IP address range (only this range is used; its configuration is not described)
※ Sites 1 and 2 share 192.168.2.0/24 over L2TPv3; 192.168.1.0/24 is a separate network at each site.
3. PR-500KI settings
Identical at Site 1 and Site 2.
Item: Value
IPv6 firewall function: Enabled (default)
IPv6 security level: ※ allow loopback communication within the Flets network
Item: Value
Enabled/disabled: checked (set from the list after editing)
Entry number: 1 (arbitrary)
Destination IP address/mask length: 192.168.2.0/24
Gateway: 192.168.1.254
4. Information prepared in advance
Item: Value
Pre-shared key: arbitrary
L2TP tunnel authentication password: arbitrary
Site 1 DDNS hostname: obtained via i.open.ad.jp
Site 2 DDNS hostname: obtained via i.open.ad.jp
Site 1 update-only hostname: obtained via i.open.ad.jp
Site 2 update-only hostname: obtained via i.open.ad.jp
5. Site 1 configuration
console lines infinity
login timer 300
no dhcp service
no dhcp server rfc2131 compliant except remain-silent
no dhcp scope 1
no ip lan1 address
console prompt kyoten1
ip lan1 address 192.168.2.1/24
ip lan2 address 192.168.1.254/24
ip lan2 nat descriptor 1
ip filter 500000 restrict * * * * *
ipv6 routing on
ipv6 lan2 address auto
ipv6 prefix 1 ra-prefix@lan2::/64
ipv6 lan1 address ra-prefix@lan2::1/64
ipv6 lan1 rtadv send 1 o_flag=on
ipv6 lan1 dhcp service server
description lan2 toHGW
ipv6 lan2 dhcp service client ir=on
ipv6 lan2 secure filter in 101000 101001 101002 101003 101004 101005 101006 101078
ipv6 lan2 secure filter out 101079 dynamic 101080 101081 101082 101083 101084 101085 101098 101099
ipv6 filter 101000 pass * * icmp6 * *
ipv6 filter 101001 pass * * tcp * ident
ipv6 filter 101002 pass * * udp * 546
ipv6 filter 101003 pass * * esp * *
ipv6 filter 101004 pass * * udp * 500
ipv6 filter 101005 pass * * udp * 1701
ipv6 filter 101006 pass * * udp * 4500
ipv6 filter 101078 reject * * * * *
ipv6 filter 101079 pass * * * * *
ipv6 filter dynamic 101080 * * ftp
ipv6 filter dynamic 101081 * * domain
ipv6 filter dynamic 101082 * * www
ipv6 filter dynamic 101083 * * smtp
ipv6 filter dynamic 101084 * * pop3
ipv6 filter dynamic 101085 * * submission
ipv6 filter dynamic 101098 * * tcp
ipv6 filter dynamic 101099 * * udp
dhcp service server
dhcp server rfc2131 compliant except remain-silent
dhcp scope 1 192.168.2.10-192.168.2.49/24
dhcp scope option 1 router=192.168.2.1
dhcp scope option 1 dns=192.168.2.1
dns host lan1
dns service fallback on
dns server 2001:4860:4860::8888 2001:4860:4860::8844
dns server select 500000 dhcp lan2 any .
dns private address spoof on
dashboard accumulate traffic on
bridge member bridge1 lan1 tunnel1
ip bridge1 address 192.168.2.3/24
pp disable all
no tunnel enable all
tunnel select 1
tunnel encapsulation l2tpv3
tunnel endpoint name <拠点2 DDNSホスト名>.i.open.ad.jp fqdn
ipsec tunnel 101
ipsec sa policy 101 1 esp aes-cbc sha-hmac
ipsec ike keepalive use 1 on
ipsec ike keepalive log 1 on
ipsec ike nat-traversal 1 on
ipsec ike pre-shared-key 1 text <事前共有鍵>
ipsec ike remote address 1 <拠点2 DDNSホスト名>.i.open.ad.jp
l2tp hostname kyoten1-host
l2tp always-on on
l2tp tunnel auth on <L2TPトンネル認証パスワード>
l2tp tunnel disconnect time off
l2tp keepalive use on 5 10
l2tp keepalive log on
l2tp syslog on
l2tp remote end-id vpn
ip tunnel tcp mss limit auto
tunnel enable 1
tunnel select none
nat descriptor type 1 masquerade
nat descriptor address outer 1 primary
nat descriptor address inner 1 auto
nat descriptor masquerade static 1 1 192.168.2.1 esp
nat descriptor masquerade static 1 2 192.168.2.1 udp 500
nat descriptor masquerade static 1 3 192.168.2.1 udp 1701
nat descriptor masquerade static 1 4 192.168.2.1 udp 4500
ipsec transport 1 101 udp 1701
ipsec auto refresh on
ip route default gateway 192.168.1.1
schedule at 1 */* *:*:00 * lua -e "rt.command(\"ping6 <拠点1更新専用ホスト名>.i.open.ad.jp\")"
l2tp service on l2tpv3
tunnel select 1
ip tunnel secure filter in 1 2
ip filter 1 reject * * udp dhcps,dhcpc dhcps,dhcpc
ip filter 2 pass * *
tunnel select none
heartbeat2 myname keepalive
heartbeat2 transmit 1 auth keepalive 192.168.2.2
heartbeat2 transmit interval 30
heartbeat2 transmit enable 1
tftp host 192.168.2.1-192.168.2.255
httpd host 192.168.2.1-192.168.2.255
6. Site 2 configuration
console lines infinity
login timer 300
no dhcp service
no dhcp server rfc2131 compliant except remain-silent
no dhcp scope 1
no ip lan1 address
console prompt kyoten2
ip lan1 address 192.168.2.2/24
ip lan2 address 192.168.1.254/24
ip lan2 nat descriptor 1
ip filter 500000 restrict * * * * *
ipv6 routing on
ipv6 lan2 address auto
ipv6 prefix 1 ra-prefix@lan2::/64
ipv6 lan1 address ra-prefix@lan2::1/64
ipv6 lan1 rtadv send 1 o_flag=on
ipv6 lan1 dhcp service server
description lan2 toHGW
ipv6 lan2 dhcp service client ir=on
ipv6 lan2 secure filter in 101000 101001 101002 101003 101004 101005 101006 101078
ipv6 lan2 secure filter out 101079 dynamic 101080 101081 101082 101083 101084 101085 101098 101099
ipv6 filter 101000 pass * * icmp6 * *
ipv6 filter 101001 pass * * tcp * ident
ipv6 filter 101002 pass * * udp * 546
ipv6 filter 101003 pass * * esp * *
ipv6 filter 101004 pass * * udp * 500
ipv6 filter 101005 pass * * udp * 1701
ipv6 filter 101006 pass * * udp * 4500
ipv6 filter 101078 reject * * * * *
ipv6 filter 101079 pass * * * * *
ipv6 filter dynamic 101080 * * ftp
ipv6 filter dynamic 101081 * * domain
ipv6 filter dynamic 101082 * * www
ipv6 filter dynamic 101083 * * smtp
ipv6 filter dynamic 101084 * * pop3
ipv6 filter dynamic 101085 * * submission
ipv6 filter dynamic 101098 * * tcp
ipv6 filter dynamic 101099 * * udp
dhcp service server
dhcp server rfc2131 compliant except remain-silent
dhcp scope 1 192.168.2.50-192.168.2.89/24
dhcp scope option 1 router=192.168.2.2
dhcp scope option 1 dns=192.168.2.2
dns host lan1
dns service fallback on
dns server 2001:4860:4860::8888 2001:4860:4860::8844
dns server select 500000 dhcp lan2 any .
dns private address spoof on
dashboard accumulate traffic on
bridge member bridge1 lan1 tunnel1
ip bridge1 address 192.168.2.4/24
pp disable all
no tunnel enable all
tunnel select 1
tunnel encapsulation l2tpv3
tunnel endpoint name <拠点1 DDNSホスト名>.i.open.ad.jp fqdn
ipsec tunnel 101
ipsec sa policy 101 1 esp aes-cbc sha-hmac
ipsec ike keepalive use 1 on
ipsec ike keepalive log 1 on
ipsec ike nat-traversal 1 on
ipsec ike pre-shared-key 1 text <事前共有鍵>
ipsec ike remote address 1 <拠点1 DDNSホスト名>.i.open.ad.jp
l2tp hostname kyoten2-host
l2tp always-on on
l2tp tunnel auth on <L2TPトンネル認証パスワード>
l2tp tunnel disconnect time off
l2tp keepalive use on 5 10
l2tp keepalive log on
l2tp syslog on
l2tp remote end-id vpn
ip tunnel tcp mss limit auto
tunnel enable 1
tunnel select none
nat descriptor type 1 masquerade
nat descriptor address outer 1 primary
nat descriptor address inner 1 auto
nat descriptor masquerade static 1 1 192.168.2.2 esp
nat descriptor masquerade static 1 2 192.168.2.2 udp 500
nat descriptor masquerade static 1 3 192.168.2.2 udp 1701
nat descriptor masquerade static 1 4 192.168.2.2 udp 4500
ipsec transport 1 101 udp 1701
ipsec auto refresh on
ip route default gateway 192.168.1.1
schedule at 1 */* *:*:00 * lua -e "rt.command(\"ping6 <拠点2更新専用ホスト名>.i.open.ad.jp\")"
l2tp service on l2tpv3
tunnel select 1
ip tunnel secure filter in 1 2
ip filter 1 reject * * udp dhcps,dhcpc dhcps,dhcpc
ip filter 2 pass * *
tunnel select none
heartbeat2 myname keepalive
heartbeat2 transmit 1 auth keepalive 192.168.2.1
heartbeat2 transmit interval 30
heartbeat2 transmit enable 1
tftp host 192.168.2.1-192.168.2.255
httpd host 192.168.2.1-192.168.2.255
7. Key points
Bridge setup.
bridge member bridge1 lan1 tunnel1
ip bridge1 address 192.168.2.3/24
IPsec tunnel settings.
tunnel select 1
tunnel encapsulation l2tpv3
tunnel endpoint name <拠点2 DDNSホスト名>.i.open.ad.jp fqdn
ipsec tunnel 101
ipsec sa policy 101 1 esp aes-cbc sha-hmac
ipsec ike keepalive use 1 on
ipsec ike keepalive log 1 on
ipsec ike nat-traversal 1 on
ipsec ike pre-shared-key 1 text <事前共有鍵>
ipsec ike remote address 1 <拠点2 DDNSホスト名>.i.open.ad.jp
l2tp hostname kyoten1-host
l2tp always-on on
l2tp tunnel auth on <L2TPトンネル認証パスワード>
l2tp tunnel disconnect time off
l2tp keepalive use on 5 10
l2tp keepalive log on
l2tp syslog on
l2tp remote end-id vpn
ip tunnel tcp mss limit auto
tunnel enable 1
tunnel select none
NAT settings. Because IPsec is used, UDP 1701 alone should be enough, but ESP and UDP 500/4500 are also added for the L2TPv3-only case.
nat descriptor type 1 masquerade
nat descriptor address outer 1 primary
nat descriptor address inner 1 auto
nat descriptor masquerade static 1 1 192.168.2.1 esp
nat descriptor masquerade static 1 2 192.168.2.1 udp 500
nat descriptor masquerade static 1 3 192.168.2.1 udp 1701
nat descriptor masquerade static 1 4 192.168.2.1 udp 4500
IPsec connection.
ipsec transport 1 101 udp 1701
ipsec auto refresh on
Automatically update the IPv6 address registered at i.open.ad.jp, as described on the i.open.ad.jp site.
schedule at 1 */* *:*:00 * lua -e "rt.command(\"ping6 <拠点1更新専用ホスト名>.i.open.ad.jp\")"
Enable L2TPv3.
l2tp service on l2tpv3
Use each site's RTX1210 as its own DHCP server, without letting DHCP packets cross the tunnel (as explained on the YAMAHA website).
tunnel select 1
ip tunnel secure filter in 1 2
ip filter 1 reject * * udp dhcps,dhcpc dhcps,dhcpc
ip filter 2 pass * *
tunnel select none
Heartbeat settings. I'm not confident whether this is the right way to do it.
heartbeat2 myname keepalive
heartbeat2 transmit 1 auth keepalive 192.168.2.2
heartbeat2 transmit interval 30
heartbeat2 transmit enable 1
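As an added example (not code from the article or from YAMAHA), a small Python audit that re-reads the filter, NAT and tunnel lines from the configs above and checks the properties these key points rely on: the lan2 inbound IPv6 list passes only what IKE/ESP/L2TP with NAT traversal needs and ends in an explicit reject-all, the static masquerade entries point only at the router's own lan1 address, and the tunnel filter rejects DHCP before its pass-all. The config excerpt, the weakened variant and the expected-service set are constructed here for the demonstration.

```python
import re
from collections import namedtuple

# Constructed excerpt modelled on the Site 1 config (not captured from the article's routers).
SAMPLE_CONFIG = """\
ip lan1 address 192.168.2.1/24
ipv6 lan2 secure filter in 101000 101001 101002 101003 101004 101005 101006 101078
ipv6 filter 101000 pass * * icmp6 * *
ipv6 filter 101001 pass * * tcp * ident
ipv6 filter 101002 pass * * udp * 546
ipv6 filter 101003 pass * * esp * *
ipv6 filter 101004 pass * * udp * 500
ipv6 filter 101005 pass * * udp * 1701
ipv6 filter 101006 pass * * udp * 4500
ipv6 filter 101078 reject * * * * *
nat descriptor masquerade static 1 1 192.168.2.1 esp
nat descriptor masquerade static 1 2 192.168.2.1 udp 500
nat descriptor masquerade static 1 3 192.168.2.1 udp 1701
nat descriptor masquerade static 1 4 192.168.2.1 udp 4500
ip tunnel secure filter in 1 2
ip filter 1 reject * * udp dhcps,dhcpc dhcps,dhcpc
ip filter 2 pass * *
"""
# Constructed misconfiguration: the trailing reject-all has turned into a pass-all.
WEAK_CONFIG = SAMPLE_CONFIG.replace("101078 reject", "101078 pass")
# Inbound services the tunnel needs (IKE 500, NAT-T 4500, ESP, L2TP 1701) plus the
# household-router defaults the article keeps (ICMPv6, DHCPv6 client 546, ident).
EXPECTED_INBOUND = {("icmp6", "*"), ("tcp", "ident"), ("udp", "546"), ("esp", "*"),
                    ("udp", "500"), ("udp", "1701"), ("udp", "4500")}
Filter = namedtuple("Filter", "action proto dport")
FILTER_RE = r"^{fam} filter (\d+) (pass|reject|restrict) (\S+) (\S+)(?: (\S+))?(?: (\S+) (\S+))?$"

def parse_filters(text, family):
    """Return {id: Filter} for every static 'ip filter' / 'ipv6 filter' definition."""
    out = {}
    for m in re.finditer(FILTER_RE.format(fam=family), text, re.M):
        fid, action, _src, _dst, proto, _sport, dport = m.groups()
        out[int(fid)] = Filter(action, proto or "*", dport or "*")
    return out
def applied_ids(text, directive):
    """Filter IDs listed on a 'secure filter in' directive, in evaluation order."""
    m = re.search(rf"^{re.escape(directive)} ((?:\d+ ?)+)$", text, re.M)
    return [int(x) for x in m.group(1).split()] if m else []
def audit_inbound(text):
    """Findings about what the lan2 inbound IPv6 list really exposes toward the HGW side."""
    defs = parse_filters(text, "ipv6")
    ids = applied_ids(text, "ipv6 lan2 secure filter in")
    findings, passed = [], set()
    for fid in ids:
        f = defs.get(fid)
        if f is None:
            findings.append(f"filter {fid} is referenced but never defined")
        elif f.action == "pass":
            passed.add((f.proto, f.dport))
    last = defs.get(ids[-1]) if ids else None
    if last is None or last.action != "reject" or last.proto != "*":
        findings.append("inbound list does not end with an explicit reject-all")
    findings += [f"unexpected inbound pass: {p}/{d}" for p, d in sorted(passed - EXPECTED_INBOUND)]
    findings += [f"tunnel needs {p}/{d} but it is not passed" for p, d in sorted(EXPECTED_INBOUND - passed)]
    return findings
def audit_nat(text):
    """Static masquerade entries must forward only to the router's own lan1 address."""
    lan1 = re.search(r"^ip lan1 address (\S+)/\d+$", text, re.M).group(1)
    pat = r"^nat descriptor masquerade static \d+ \d+ (\S+) (\S+)(?: (\S+))?$"
    return [f"static NAT for {proto}/{port or '*'} forwards to {host}, not to lan1 {lan1}"
            for host, proto, port in re.findall(pat, text, re.M) if host != lan1]
def tunnel_blocks_dhcp(text):
    """True if the tunnel's inbound filter rejects DHCP before reaching its pass-all."""
    defs = parse_filters(text, "ip")
    for fid in applied_ids(text, "ip tunnel secure filter in"):
        f = defs.get(fid)
        if f is None or (f.action == "pass" and f.proto == "*"):
            return False  # undefined id, or pass-all reached before any DHCP reject
        if f.action == "reject" and f.proto == "udp" and "dhcps" in f.dport:
            return True
    return False
```

Running the three checks against the Site 2 config is a matter of swapping the excerpt; the same audit also flags the symptom of a filter id that is listed but never defined.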
8. Communication speed
Site 1 and Site 2 are one metropolis and two prefectures apart; over L2TPv3/IPsec, a file copy via Windows 10 file sharing (SMBv3) runs at about 75 Mbps. Between the encryption methods AES and 3DES there is no large drop in speed.
With L2TPv3 alone, without IPsec, it reaches about 560 Mbps. Addendum 2021/07/29: measured with iperf3 rather than by eye it appears to be slower; I've forgotten the figure.
In both cases, as the network diagram shows, the RTX1210 sits below the HGW (PR-500KI).
The speed without IPsec is attractive, but IPsec is used for safety.
9. Remarks
Apply for BIGLOBE's IPv6 Option Lite; once the IPv6 Option has been cancelled, apply for the IPv6 Option again right away. Two days later (applied on Saturday, effective Monday) the line switched to IPoE. Applying for Lite is what cancelled the IPv6 Option; this is what BIGLOBE's phone support told me.
If resetting the HGW to its factory state doesn't help, this is another approach.
10. Reference sites
How to use YAMAHA routers - OPEN IPv6 Dynamic DNS for Flets Hikari Next
How to set up L2TPv3 over IPv6 loopback communication with the YAMAHA router "RTX1200" (using SoftEther OPEN DDNS)
How to build a VPN using the Flets network's comfortable IPv6
YAMAHA in-house network (L2TPv3)
How to connect a VPN using L2TPv3 on the YAMAHA RTX series (IPv4 and IPv6) - SoftEther VPN Project
Packet loss over the VPN even when trying an RTX1000
Setting the IPv6 DNS server to a public DNS: (tentative) title to be decided: So-net blog
11. YAMAHA official information
L2 VPN using L2TPv3
Bridge connection (bridge function)
IPsec setup guide
Building a same-segment network between two sites
Cannot connect to VPN (IPsec)
IPv6-related feature additions
Reference
https://qiita.com/mayo00/items/774b650215959925d89c